
Topic: How 999dice.com is stealing your coins, and exactly why you won't believe me - page 8. (Read 41936 times)

legendary
Activity: 924
Merit: 1006
I have lost over 5 btc to 999dice. It definitely seems like a scam in the way that if you need a crucial win to recover it will roll the opposite side or just out of range conveniently. Even after an improbable loss streak.

This was after I reached max payout on 250+ losses. I tried to recover at maxpayout and lost another 830k doge after losing 400k doge. I knew I shouldn't have chased this loss but it just seems a bit ridiculous.

http://prntscr.com/62shxu

With a 5% chance of win that's not improbable at all
member
Activity: 114
Merit: 10
Extortion? Really? It's not extortion...

I concur.  
18 USC 1951
Quote
The term “extortion” means the obtaining of property from another, with his consent, induced by wrongful use of actual or threatened force, violence, or fear, or under color of official right.

Fear includes fear of economic harm.  Legally speaking saying "pay up or I will sue" is extortion  which is why debt collectors say "under the law we have the right to sue" or something similar to make the threat in a legal way.  

Color of official right is like a cop saying "pay up or I will cite you with something".

There are many cases where news reporting of truthful statements is 100% legal.  The news can even quote someone who is completely wrong so long as  they make it a quote and do not just parrot what is said as if its fact.  Even in defamation cases (which is the best he could go for) which comes from tort law which is common law which dates back to about the 1400s England (before that defamation didnt really exist as a claim) truth is always a defense.  Reporting that someone else is saying something would absolve  them of any liability.  That is a truthful statement easily proved because they linked to this thread.  Now they can go after the OP of this thread and require the OP to prove his claims of cheating or pay up for a defamation case.  Caveat: opinions dont count.  saying "I think they are cheating" is not defamation, saying "they are cheating" is unless its true.

I doubt that will happen though.  Tort law includes emotional distress and how many internet trolls have you seen sued?  Man I would love to be the lawyer that gets that class action lawsuit.  Parasitically attach to the websites hosting the trollfests under the same premise that landlords have to put locks on the common areas in high crime areas because they are responsible for securing against harm to tenants.  I would win all the internets!

None of this is legal advice, I am a law student not a lawyer and certainly not *your* lawyer. Saul Goodman is my hero.
sr. member
Activity: 395
Merit: 255
crypto.games: #1 Gambling Site
Try playing on www.crypto-games.net
Our system is 100% fair. There is no way for us to cheat, you can check seeds of every bet made in past!

* By "not me" I mean I have to be logged in/have my cookie sent to the server to see the seed. Its impossible to load the seed without telling the server I'm looking at it. Since the seeds are individual per user and not static for the site for the day, I have to identify myself to see the seed, thus leaving room for the possibility of cheating.

Yes that is true. Next server seed (SHA256) can only be seen if user clicks on provable fair page. We will add it in every AJAX response from the server, so it won't be shown only on demand. Thanks!
full member
Activity: 420
Merit: 151
For the record - I am completely, absolutely, not shocked.

The ability of people to believe crap "authority" tells them is without end. Admin writes back and says I'm extorting him, ACTUAL NEWS articles on a NEWS WEBSITE are removed.

I swear to god. I should start up my own scam-and-steal-from-you-site. The scammer sites receive more trust and support than those who were stolen from.

The site is designed to force you to request the hash on every roll. And there are people who honestly believe this shit.

.1% edge.

2000+ BTC profit (claimed)

And I'm an extortionist.

Absolutely stunning.
member
Activity: 114
Merit: 10
... this reminds me of Josh Garza and his bullshit accusations about coinfire and his legal threats.

In all fairness I believe that the "anonymous source" is fake.  The documents were for another case with just the name changed.  Coinfire did not do proper due diligence before posting a defamatory story which does open up a tort claim.  I say this as a law student.  I am not a lawyer, I am certainly not *your* lawyer.  This is not legal advice.  
full member
Activity: 420
Merit: 151
WOW. Holy. Fucking. Shit.

Seriously? NewsBTC removed the article? I just googled it. Clicked the link. It's gone.

WOW.

What a spineless pile of scumbags. Extortion? Really? It's not extortion...

Here, let me tell everyone about the "extortion" I engaged in:

Hey, Jake, you stole from me, give me my bitcoin back or I expose your bullshit scam everywhere!

Yes, clearly "extortion".

You steal from someone, they demand you return it, and now, apparently, that's extortion.

Hey, NewsBTC, way to have a spine, you worthless assholes.

Yes, I'll say that in public. You are a bullshit worthless news agency if you publish a story, then remove it, because an anonymous scammer threatens you.
sr. member
Activity: 277
Merit: 250


Is this an email to newsbtc? How did you get a screenshot of it?
m3
sr. member
Activity: 460
Merit: 250
This guy just will not stop. So newsBTC wrote an article about them, then decided to remove it:




My theory is that this "Jake" guy sent them a message threatening them. Here is the message he sent me and my reply. God these scumbag scammers just never stop this reminds me of Josh Garza and his bullshit accusations about coinfire and his legal threats. This guy has the audacity to go after me claiming that I am participating in extortion. Maybe we should all go after him for running an illegal gambling site for US citizens.





member
Activity: 114
Merit: 10
Putting hash on "static", standalone page would mean they use same seed for every player and disclose it every day/ hour etc.
999dice generates new seed every roll

There is a bitcoin casino that publishes what the next will be with every bet.  They have multiple fields stating what the last one was and what the next one is.  This could be done anywhere, even if its separate on a per user per roll basis. 

999dice clearly does cookie tracking to identify users or you would not be able to have a balance without ever logging in or creating an account.  They have 4 cookies, AccountID, LastBetCurrency, Language and SessionID.  They also have an indexed DB which I think but have not confirmed is just used for  some functions that are exposed. 

Because of the AccountId cookie it would not be hard to know who  you are talking to and since they use MSSQL they could store what the next would be there or just make it part of the session so if you abandon it its gone.  Either way they could make it easier to  have a dynamic but displayed next seedHash. 

Its all about how the developer chooses to make this information available.  If this was not the scam before after this thread I am sure that there will be some that try it. 
hero member
Activity: 770
Merit: 504
(っ◔◡◔)っ🍪
As for understanding having to click the button 'to start' - why? Why be forced to inform the server you're watching at all? Most betting sites publish the hash on a static page anyone can see.

If you publish the hash on a standalone page, you could read the hash on your phone, not logged in, then bet from your PC, and the server would NEVER know you checked the hash. Giving them absolutely no opportunity to cheat, because anyone, at any time, can check.

Putting hash on "static", standalone page would mean they use same seed for every player and disclose it every day/ hour etc.
999dice generates new seed every roll, I can understand how it may require pushing the button to generate/show hash - as you said, even when using API you have to use separate call to get server's seed hash - reason behind that may be the fact that normally all "magic" happens in one function, that takes care of generating server seed, mixing it with client seed and calculating result. Separate function that pre-generate server seed is not run unless you explicitly ask for it. Such construction simplifies the process as they don't have to store pre-generated server seed anywhere - it's generated on the fly during the bet. Yes, it does make changing client seed somehow useless, as without knowing server seed hash we still have to trust casino operator, but hey - 99% users trust the casino and the remaining 1% can click the button - maybe there are some savings in processing speed that makes this complication worthwhile.
There is a million scams out there its the godforsaken wild west, sometimes there's a faster gunslinger or a band of manure thieves prowling about??

Sorry for your loss

I would though like a copy of this script (or system) that made you the 60 bitcoins in 14 hours. Why not use it en masse and put a beating on the website. I'm sure many here would be happy to help with the project

The admin threatening to confiscate any deposits I make is a good reason to not do that.

As far as a copy of it, won't do you much good unless you've got 50 BTC to deposit and can stomach risking the loss of it. It's not foolproof by any means. Anyone who tells you their system IS, is lying to you.

I also wanted to ask you for a copy of your script.
No, I don't have 50btc but I'm sure it could be used with smaller sum of btc/doges too

it is funny
i think most people has know that it is a scam site
but why do people still play there
perhaps because of them still make a profit every day (smart player)
some are a playing with dumb and lost "a lot" and finally put hate to admin there .dont know


People play there because they have 0.1% house edge.
Plus they have server-side autobet meaning you can do 200 martingales in one go.
Don't get me wrong, I see sarcasm in your post

Why not create a proxy website that allows users to have every bet verified?

Every bot should have built in bet verifier.
I can't remember if that one available @ 999dice have this option... Even if it does, you would have to build it from the source (and read the source first).
member
Activity: 114
Merit: 10
I have lost over 5 btc to 999dice. It definitely seems like a scam in the way that if you need a crucial win to recover it will roll the opposite side or just out of range conveniently. Even after an improbable loss streak.

I think their RNG is flawed based on some analysis.  Not horribly so but enough that you do not get an even distribution of numbers.  If I had to guess I would guess they use sql server as their entropy source.  rand() gets its seed in part from time() which does not have  sufficient entropy to create an even distribution over time.

They also appear to have a flawed method of using the server seed.

Server Seed: 035a30aeb639002a3bf131ada765b18840bf4c8e5912ff7f2efe6e6993e949e2
Server Seed Hash: 88f41de51f58329026807b0a1464a6264052fe074e30274472fb63abed77915a

Yet in the code examples we see
@serverSeed binary(32),

If you will notice the server seed is larger than the space allotted for it in the first code example.  Because of the abstract types in the 2nd C# example this does not appear to be an issue.  The site however claims the first example is the actual code they use on the site.  They verify it all  through MSSQL.  This would imply that either that is no longer the validation code or they are truncating the seed.  
legendary
Activity: 3654
Merit: 1165
www.Crypto.Games: Multiple coins, multiple games
sr. member
Activity: 294
Merit: 250
I have lost over 5 btc to 999dice. It definitely seems like a scam in the way that if you need a crucial win to recover it will roll the opposite side or just out of range conveniently. Even after an improbable loss streak.

This was after I reached max payout on 250+ losses. I tried to recover at maxpayout and lost another 830k doge after losing 400k doge. I knew I shouldn't have chased this loss but it just seems a bit ridiculous.

http://prntscr.com/62shxu
member
Activity: 114
Merit: 10
Haven't read it yet, will later, maybe I don't fully understand. I do know that ICMP is slower. But my point is that if I can do 300 hashes in .7 milliseconds, the "hardest" to brute force bet is a 95% win, in which case you will need, on average, 11 hashes to force. In extreme cases, it will take 350+ or so (the largest number of "losses" in a row I saw for 5% bets, which is obviously not the maximum, but in 100,000,000 runs, a 95% chance roll happened 349 times once or twice), which is why I chose to hash 300 and time that.

what about autobets where you have to iterate through several just to see if that one is the way you want?  eg it works like a multiplier?
What about the load of doing this to everyone as is implied?  Presumably they are not just screwing you over (if they are doing it at all). 

hundreds of bets per second, maybe thousands with some doing autobetting (there are several userscripts to do that) plus the load of the web server, MSSQL server, etc.  It is a one box show apparently.  Its also running on windows 2008 which depending on who you talk to is better in terms of performance than windows 8 server. 

The contention rate that would exist is actually quite high, if what you propose is going on.  It would be extremely noticeable if all that was going on.  However even with that timestamps  have been used to fingerprint the clock skew of a specific system even if it physically moves networks, or hides behind TOR hidden services.  There are methods that have some pretty fine accuracy.  Read the footnotes of the papers I provided as well, that will give you 10 or so other papers you can read on the subject.  The Pearson book I listed is partially available on Google Books so partially free to read (I only found it because I was searching for who cited my paper, they misspelled my name which makes me think there are no fact checkers on it so it may not be worth buying - I read nothing other than the footnote so I dunno its overall quality).


Quote
And on a web server that appears to be hosted in germany, with random amounts of internet traffic, unknown amounts of server load, unknown amounts of user load on the site, you'd be hard pressed to notice a delay which could be anywhere between .002ms and 10ms, and attribute it to brute forcing a new hash. I haven't checked on tcp timestamps, but are they accurate to the .000001th of a second?

you really should read the one about guessing valid usernames.  In that one using tcp timestamps they were able to  tell if a username was valid because it would return faster by not comparing the password and doing the single hash on the supplied password.  That is just one hash, on a server far away, with other things going on.

It would at least let you confirm the theory if its really happening. 
full member
Activity: 177
Merit: 100
Why not create a proxy website that allows users to have every bet verified?
sr. member
Activity: 277
Merit: 250
This is a great, well-written post. If the site turns out to be a scam (which seems likely), I hope justice is served to whomever is running it. Great job keepinquiet and I hope you get your btc back.
full member
Activity: 420
Merit: 151
Try playing on www.crypto-games.net
Our system is 100% fair. There is no way for us to cheat, you can check seeds of every bet made in past!

Joter - a suggestion? Your site is very much like 999dice. You need to click something and send uniquely identifiable information to the server to see the hash before the roll is made.

It's impossible for "not me*" to see the hash before the bet without telling the server "Hey, I'd like to see the hash for my next bet plz, I'll be watching."

It's the same thing 999dice does.

Reason I think, in your case, is it's an oversight, is that it would take balls of steel to post an ad for your site in my thread, pointing it out to a guy who did extreme technical analysis of a betting site, and think I wouldn't notice.

Want to bring your site fully into "theres no way we are cheating you" land? Put the hash on the betting page. SHOW ME the hash ALL the time. Don't make me tell you I'm looking.

I'll tell you what though, applause for having the client seed being generated client side via javascript when you click the randomize button. I was afraid it was coming from the server, but poking into the source briefly, it does appear to be client side.

* By "not me" I mean I have to be logged in/have my cookie sent to the server to see the seed. Its impossible to load the seed without telling the server I'm looking at it. Since the seeds are individual per user and not static for the site for the day, I have to identify myself to see the seed, thus leaving room for the possibility of cheating.
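
An added example, not part of this post or of either site's code: a client-side audit that records the server seed hash before each bet and, once the seed is revealed, checks it against that commitment and recomputes the roll. The roll derivation (HMAC-SHA256 of the client seed, reduced to 0..999999) and every name here are assumptions for illustration, and the seeds are constructed sample data.

```python
import hashlib
import hmac

ROLL_RANGE = 1_000_000  # assumption: rolls are integers 0..999999


def commit(server_seed: bytes) -> str:
    """Commitment the operator must publish before the bet is placed."""
    return hashlib.sha256(server_seed).hexdigest()


def roll(server_seed: bytes, client_seed: bytes) -> int:
    """Illustrative roll derivation (an assumption, not any site's algorithm)."""
    digest = hmac.new(server_seed, client_seed, hashlib.sha256).digest()
    # Reject values above the largest multiple of ROLL_RANGE to avoid modulo bias.
    limit = (2**32 // ROLL_RANGE) * ROLL_RANGE
    while True:
        for i in range(0, len(digest), 4):
            value = int.from_bytes(digest[i:i + 4], "big")
            if value < limit:
                return value % ROLL_RANGE
        digest = hashlib.sha256(digest).digest()  # all windows rejected: extend


class BetAudit:
    """Client-side record of one bet: commitment first, verification after."""

    def __init__(self) -> None:
        self.commitment = None

    def record_commitment(self, seed_hash_hex: str) -> None:
        # Must be called with the hash received BEFORE the bet is sent.
        self.commitment = seed_hash_hex.lower()

    def verify(self, revealed_seed: bytes, client_seed: bytes,
               reported_roll: int) -> list:
        """Return a list of problems; an empty list means the bet checks out."""
        if self.commitment is None:
            return ["no commitment was recorded before the bet"]
        problems = []
        if not hmac.compare_digest(commit(revealed_seed), self.commitment):
            problems.append("revealed seed does not match the recorded commitment")
        if roll(revealed_seed, client_seed) != reported_roll:
            problems.append("reported roll does not match the seeds")
        return problems


def demo() -> dict:
    """Constructed sample data: one honest bet and one with a swapped seed."""
    client_seed = b"constructed-client-seed"
    committed = bytes(range(32))       # seed the operator committed to
    swapped = bytes(range(1, 33))      # different seed revealed afterwards

    honest = BetAudit()
    honest.record_commitment(commit(committed))
    honest_result = honest.verify(committed, client_seed,
                                  roll(committed, client_seed))

    cheated = BetAudit()
    cheated.record_commitment(commit(committed))
    cheated_result = cheated.verify(swapped, client_seed,
                                    roll(swapped, client_seed))
    return {"honest": honest_result, "swapped": cheated_result}


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, "->", problems or "verified")
```

The check only has value when the commitment arrives with every bet response, which is the situation the post asks for; a bet with no recorded commitment is reported as unverifiable rather than as verified.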
full member
Activity: 420
Merit: 151
so you are using evidence that the site is a scam that
1) you lost money there
2) its possible they may be using fake seeds

Doesn't seem conclusive, no need to dox anyone, just move on to another gambling site and give a fair warning to others that the site may not be honest.

You have 0 evidence really that they did steal, so your title seems pretty over the top. 

Which is exactly why the title said "and exactly why you won't believe me".

The best scams are the ones that convinced the scammed that they aren't being scammed, and recruit them to defend the scammer. Cults have done this for a long time. It's nothing new.

You say it's possible they are using fake seeds Almost all betting sites MAY be using fake seeds. Almost none of them force you to set your own client seed. They pick it for you. When they do that, they can make your results whatever they want them to be. They all MAY be doing it.

I say it's very probable that 999dice is doing it, precisely because the site is designed in such a way that you must inform the site if you are going to validate a bet, before you can write down the hash to validate it.

If the cops call the drug dealer 30 minutes before they are busting the door in, do you think the cops will ever find drugs there?

If there were some weird law that FORCED cops to notify criminals they were coming 30 minutes in advance, do you think the fact the cops NEVER found and arrested anyone is proof that there are no criminals?

Or is it more likely they are just ditching the place before the cops get there?
full member
Activity: 420
Merit: 151
As for the server times varying, "brute forcing" the seed would take no time at all. I'm going to simplify their process, because theirs involves double hashing, then reading the first 3 bytes, converting it to an integer, checking its value, then using just the last 6 digits. Too much work for a forum example.

Based entirely on your response it appears that the URLs I posted were too technical to be understood properly.  Maybe this URL will be better for you to understand.
 Knowledge is power.  http://en.wikipedia.org/wiki/Timing_attack

Haven't read it yet, will later, maybe I don't fully understand. I do know that ICMP is slower. But my point is that if I can do 300 hashes in .7 milliseconds, the "hardest" to brute force bet is a 95% win, in which case you will need, on average, 11 hashes to force. In extreme cases, it will take 350+ or so (the largest number of "losses" in a row I saw for 5% bets, which is obviously not the maximum, but in 100,000,000 runs, a 95% chance roll happened 349 times once or twice), which is why I chose to hash 300 and time that.

And on a web server that appears to be hosted in germany, with random amounts of internet traffic, unknown amounts of server load, unknown amounts of user load on the site, you'd be hard pressed to notice a delay which could be anywhere between .002ms and 10ms, and attribute it to brute forcing a new hash. I haven't checked on tcp timestamps, but are they accurate to the .000001th of a second?

And that being said, it's the easiest thing to defend against. All he needs to do is read this thread, see someone might try that, and simply add a usleep(mt_rand(100, 100000)); to the 'check if the bet won and maybe rehash it' function. (Assuming he's using PHP, which he isn't, because his site is done in windows for some bizarre reason).

How do you analyze the tcp timestamps when the server is adding random amounts of delay to every request. Delays so small no one would ever notice the site is running slower, but large enough to completely ruin any testing where you're trying to sense the difference between .002ms and .004ms?
full member
Activity: 420
Merit: 151
it is funny
i think most people has know that it is a scam site
but why do people still play there
perhaps because of them still make a profit every day (smart player)
some are a playing with dumb and lost "a lot" and finally put hate to admin there .dont know


Or you can actually think for yourself and look at and analyze how the site works. Blatantly trusting "the admin" is a recipe for disaster. *I* trusted the site because it's very well done and LOOKS legit. You can even verify bets. That's the beauty of it.

And those making profit every day... how much? The smart players making profit every day, how much profit are they making?

Because I saw a lot of that chat room scroll by during my time there using the web interface. And the vast majority was people looking for people to "invest" and others happily investing. Also a lot of people bragging about their balances of .00048172 BTC.

There's a feature I was unaware of that will spam your larger bets to the chat room. The first time I ever asked a question in there, I was praised as a god as people saw my 1.5 BTC bets that won 4.5 BTC (33% odds). I was then also inundated by requests to invest in them. I also learned that "investing" was trusting some other rube who has no better odds than you do, to bet your money for you. That was a sobering moment.

Anyone who is betting there and making any profit at all that is worth mentioning is doing it quietly and not advertising it. And I guarantee you they aren't bragging about it in the chat room for you or anyone else to know.

That being said, I seriously doubt ANYONE is actually profiting for real there.

And a quick side note: I'm pissed I was scammed out of the BTC from a site that goes above and beyond to APPEAR to be legit, however, even more infuriating is the site stealing from the tons of people in the chat room who likely can't AFFORD to be losing money there.

People who have money to gamble aren't begging for tips and begging for investors just so they can give it "just one more shot!"

Those are the people who can't afford it. And those are the ones who are being hurt infinitely more than I was. And THAT makes me angry as hell.